In an ongoing effort to improve the cybersecurity of surface transportation systems and associated infrastructure, the Transportation Security Administration (TSA), a US government agency, announced changes to three security directives (SD) regulating passenger and freight railroad carriers.
These modified directives, which were set to expire on 24 October, have been extended for a year and contain modifications aimed at strengthening the industry’s defences against cyberattacks.
According to TSA, the three security directives, developed with extensive input from industry stakeholders and federal partners such as the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation’s Federal Railroad Administration (FRA), improve cybersecurity preparedness and resilience for the US critical railroad operations.
It requires TSA-specified passenger and freight railroad carriers to adopt a flexible, performance-based strategy to prevent disruption and degradation of their infrastructure, corresponding to the TSA’s requirements for pipeline operators.
“The renewal is the right thing to do to keep the nation’s railroad systems secure against cyber threats, and these updates sustain the strong cybersecurity measures already in place for the railroad industry,” stated David Pekoske, TSA Administrator.
The revised security directives, Enhancing Rail Cybersecurity, and the revised SD series, Enhancing Public Transportation and Passenger Railroad Cybersecurity, include a requirement for covered owners and operators to test a minimum of two objectives in their Cybersecurity Incident Response Plan every year.
They also require including employees who have been identified by their positions as active participants in these exercises.
The revised security directive series, Rail Cybersecurity Mitigation Actions and Testing, also requires railroad owners and operators to annually submit an updated Cybersecurity Assessment Plan to TSA for review and approval and report the results from the previous year using a schedule for assessing and auditing specific cybersecurity measures for effectiveness such that all cybersecurity measures are assessed within a three-year period.
Pekoske said, “TSA’s partnerships with CISA, FRA and the railroad industry have been, and will continue to be, instrumental in our work towards strengthening resilience and preventing harm.”
